Senate Republicans to introduce contact tracing privacy bill

U.S. Sens. Roger Wicker (R-Miss.) and John Thune (R-S.D.) say they will file the COVID-19 Consumer Data Protection Act. The bill “would provide all Americans with more transparency, choice, and control over the collection and use of their personal health, geolocation, and proximity data,” according to a press release. Joining in crafting the legislation are Sens. Jerry Moran (R-Kan.) and Marsha Blackburn (R-Tenn.)

The legislation would tighten up requirements for companies seeking to help health agencies with contact tracing efforts, in which federal or state health officials would interview people who have become infected with coronavirus and then trace each person who has come into contact with that person while they were contagious. The idea is to stop the spread of the virus by having people who have had contact with an infected person monitor themselves for symptoms and self-isolate for at least 14 days.

Contact tracing is being pursued aggressively in several states being hit hard by coronavirus, including California, Massachusetts, and New York, according to the health news site STAT. These contact tracing efforts currently underway are time-consuming and relatively low-tech, involving health officials calling individuals and then checking back in with them periodically.

Some companies, like Apple and Google, have offered software that would allow Android and iOS devices to communicate with each other, to aid in contact tracing efforts. These efforts are seen as laying the groundwork for contact tracing apps on people’s phones that would alert them when their phone came within six feet of a person who reported being infected with coronavirus. Such technology has the potential to dramatically increase the scope of contact tracing but brings with it concerns about the collection and use of an individual’s health and location information by private companies.

The proposed act would require companies under the jurisdiction of the FTC to “obtain affirmative express consent from individuals to collect, process, or transfer their personal health, geolocation, or proximity information for the purposes of tracking the spread of COVID-19.”

Companies would also have to disclose to consumers how their data will be handled, to whom it will be transferred, and how long it will be retained. Consumers could also opt out of the “collection, processing, or transfer of their personal health, geolocation, or proximity information.”

Data has great potential to help us contain the virus and limit future outbreaks, but we need to ensure that individuals’ personal information is safe from misuse. I will be introducing legislation to address this critical issue. https://t.co/QULAqSR13p

— Senator Roger Wicker (@SenatorWicker) April 30, 2020

Companies would also have to let consumers know how they are working to shield their identity from being revealed and to delete the data once it is no longer needed. In addition to the FTC, provisions of the act would be enforced by state attorneys general.

One privacy group criticized the legislation as a “privacy cure worse than the disease,” and said it fails to provide privacy protection for consumers and lacks enforcement teeth.

“…The bill gratuitously preempts the much stronger [Federal Communications Commission] privacy protections governing mobile carriers,” said Sara Collins, policy counsel at Public Knowledge, a privacy group, in a statement. “These protections have been used to ensure data on mobile phones are not shared with third parties without the user’s permission. As a final insult to consumer privacy, the bill would preempt the states from adopting or enforcing any stricter privacy protections in the absence of strong federal protections at the FTC.”